Question : Active Directory GPO to modify local admin account password
I know there is a way to rename the local administrator account using GPO...is there a way to also modify the password to be used by that renamed local administrator account? The IT person here before me has the following two settings:
Accounts: Limit local account use of blank passwords to console logon only: "Enabled"
Accounts: Rename administrator account: "abcd"
To me, this means that if someone knows that we have a policy to rename the local admin account to "abcd" that they could log on locally without a password by signing on as "abcd" (if they were to know about this).
We have a policy that doesn't allow anybody but an administrator to install software to a PC in our group...so this seems like a potential flaw to me.
Answer : Active Directory GPO to modify local admin account password
> "To me, this means that if someone knows that we have a policy to rename the local admin account to "abcd" that they could log on locally without a password by signing on as "abcd" (if they were to know about this)"
Incorrect. All this means is that the local admin account on each affected workstation has been renamed to 'abcd'; any user attempting to log on as this 'abcd' user would still require knowledge of the local administrator password. The 2nd setting simply means that, if the local admin account IS configured with a blank password, anyone logged on as the local admin cannot log onto any network resources with that account, only to local machine resources. It in no way enforces a blank administrator password; that would, as you indicate, be a security flaw.
As for changing the local administrator password using GPO, this is not possible. Best bet is to use cusrmgr from your administrative workstation as described here: http://support.microsoft.com/kb/272530
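The two settings discussed in this thread can be checked directly on a workstation. The following PowerShell is an added example, not part of the original question or answer; the function name `Get-BuiltinAdminAudit` is hypothetical, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module.

```powershell
# Added example: audit the renamed built-in Administrator account and the
# blank-password policy on the local machine. Read-only; changes nothing.

function Get-BuiltinAdminAudit {
    # The built-in Administrator always has RID 500. "Accounts: Rename
    # administrator account" changes its name only, not its SID or password.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    # "Accounts: Limit local account use of blank passwords to console logon
    # only" is stored as LimitBlankPasswordUse (1 = Enabled, 0 = Disabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LimitBlankPasswordUse' `
                            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AdminAccountName      = $admin.Name          # e.g. "abcd" after the rename
        AdminSid              = $admin.SID.Value
        Enabled               = $admin.Enabled
        PasswordRequired      = $admin.PasswordRequired
        PasswordLastSet       = $admin.PasswordLastSet
        LimitBlankPasswordUse = if ($null -ne $lsa) {
                                    [bool]$lsa.LimitBlankPasswordUse
                                } else { $null }     # value not present
    }
}

$result = Get-BuiltinAdminAudit
$result | Format-List

# PasswordRequired = False means the account is allowed to have an empty
# password; it does not prove the password is empty, but it deserves review.
if ($result.Enabled -and -not $result.PasswordRequired) {
    Write-Warning "Account '$($result.AdminAccountName)' may have a blank password."
}
if ($result.Enabled -and $null -eq $result.PasswordLastSet) {
    Write-Warning "Account '$($result.AdminAccountName)' has no recorded password change."
}
if ($result.LimitBlankPasswordUse -eq $false) {
    Write-Warning "Blank-password accounts are not limited to console logon."
}
```

The output shows the account's current name next to its unchanged SID, which makes it clear that the rename policy and the blank-password policy are independent of whatever password the account actually has.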